WordPress Plugin Vulnerabilities

Coding Blocks <= 1.1.0 - Cross-Site Request Forgery to Settings Update

Description

The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including the theme configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
coding-blocks
No known fix

References

CVE
CVE-2025-14158
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5a4833de-d530-4bbf-ac28-e5d4b5f68f1e

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
Verified
No
WPVDB ID
58523e73-e93c-4b8e-a23a-6fc5a9be4d43

Timeline

Publicly Published
2025-12-11 (about 3 months ago)
Added
2025-12-11 (about 3 months ago)
Last Updated
2025-12-12 (about 3 months ago)

Other

Published
Title
Published
2023-07-10
Title
WooCommerce Pre-Orders < 2.0.3 - Unauthorised Actions via CSRF
Published
2025-03-04
Title
I Am Gloria <= 1.1.4 - Cross-Site Request Forgery
Published
2018-03-29
Title
WP Image Zoom <= 1.23 - Cross-Site Request Forgery (CSRF)
Published
2023-10-17
Title
Stripe Gateway < 7.6.1 - Cross-Site Request Forgery
Published
2024-03-13
Title
Super Page Cache for Cloudflare < 4.7.6 - Cross-Site Request Forgery